This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.
Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.
The following DigitalOcean tutorial may be of immediate interest, as it outlines installing and configuring OpenVPN on a CentOS 7 server:
This article will guide you through the setup and configuration of OpenVPN server on your CentOS 6 cloud server. We will also cover how to configure your Windows, OS X, or Linux client to connect to your newly installed OpenVPN server.
Before we begin, you'll need to have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your cloud server. This is a third party repository offered by the Fedora Project which will provide the OpenVPN package.
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm rpm -Uvh epel-release-6-8.noarch.rpm
First, install the OpenVPN package from EPEL:
yum install openvpn -y
OpenVPN ships with only a sample configuration, so we will copy the configuration file to its destination:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Now that we have the file in the proper location, open it for editing:
nano -w /etc/openvpn/server.conf
Our first change will be to uncomment the "push" parameter which causes traffic on our client systems to be routed through OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
We'll also want to change the section that immediately follows route DNS queries to Google's Public DNS servers.
push "dhcp-option DNS 184.108.40.206" push "dhcp-option DNS 220.127.116.11"
In addition, to enhance security, make sure OpenVPN drops privileges after startup. Uncomment the relevant "user" and "group" lines.
user nobody group nobody
Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.
mkdir -p /etc/openvpn/easy-rsa/keys cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
With the files in the desired location, we'll edit the "vars" file which provides the easy-rsa scripts with required information.
nano -w /etc/openvpn/easy-rsa/vars
We're looking to modify the "KEY_" variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.
Once completed, the bottom of your "vars" file should appear similar to the following:
export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="Organization Name" export KEY_EMAIL="firstname.lastname@example.org" export KEY_CN=droplet.example.com export KEY_NAME=server export KEY_OU=server
OpenVPN might fail to properly detect the OpenSSL version on CentOS 6. As a precaution, manually copy the required OpenSSL configuration file.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
We'll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.
cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca
Now that we have our CA, we'll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.
We're also going to need to generate our Diffie Hellman key exchange files using the build-dh script and copy all of our files into /etc/openvpn as follows:
./build-dh cd /etc/openvpn/easy-rsa/keys cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
In order to allow clients to authenticate, we'll need to create client certificates. You can repeat this as necessary to generate a unique certificate and key for each client or device. If you plan to have more than a couple certificate pairs be sure to use descriptive filenames.
cd /etc/openvpn/easy-rsa ./build-key client
Create an iptables rule to allow proper routing of our VPN subnet.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE service iptables save
Then, enable IP Forwarding in sysctl:
nano -w /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1
Finally, apply our new sysctl settings. Start the server and assure that it starts automatically on boot:
sysctl -p service openvpn start chkconfig openvpn on
You now have a working OpenVPN server. In the following steps, we'll discuss how to properly configure your client.
Now that your OpenVPN server is online, lets configure your client to connect. The steps are largely the same regardless of what operating system you have.
In order to proceed, we will need to retrieve the ca.crt, client.crt and client.key files from the remote server. Simply use your favorite SFTP/SCP (Secure File Transfer Protocol/Secure Copy) client and move them to a local directory. You can alternatively open the files in nano and copy the contents to local files manually. Be aware that the client.crt and client.key files will are automatically named based on the parameters used with "./build-key" earlier. All of the necessary files are located in /etc/openvpn/easy-rsa/keys
nano -w /etc/openvpn/easy-rsa/keys/ca.crt nano -w /etc/openvpn/easy-rsa/keys/client.crt nano -w /etc/openvpn/easy-rsa/keys/client.key
With our certificates now on our client system, we'll create another new file called client.ovpn, where "client" should match the name of the client being deployed (from build-key), the contents should be as follows, substituting "x.x.x.x" with your cloud servers IP address, and with the appropriate files pasted into the designated areas. Include only the contents starting from the "BEGIN" header line, to the "END" line, as demonstrated below. Be sure to keep these files as confidential as you would any authentication token.
client dev tun proto udp remote x.x.x.x 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 <ca> Contents of ca.crt </ca> <cert> Contents of client.crt </cert> <key> Contents of client.key </key>
As all of the required information to establish a connection is now centralized in the .ovpn file, we can now deploy it on our client system.
On Windows, regardless of edition, you will need the official OpenVPN Community Edition binaries which come prepackaged with a GUI. The only step required post-installation is to place your .ovpn configuration file into the proper directory (C:\Program Files\OpenVPN\config) and click connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.
On Mac OS X, the open source application "Tunnelblick" provides an interface similar to OpenVPN GUI on Windows, and comes prepackagd with OpenVPN and required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application Support/Tunnelblick/Configurations directory.
On Linux, you should install OpenVPN from your distributions official repositories. You can then invoke OpenVPN by simply executing:
sudo openvpn --config ~/path/to/client.ovpn
Congratulations! If you made it this far you should now have a fully operational VPN running on your cloud server. You can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Click below to sign up and get $200 of credit to try our products over 60 days!
Enter your email to get $200 in credit for your first 60 days with DigitalOcean.
I wrote a script to automate most of the task in the article. You can get it from here.
It’s still a work in progress and any contribution is welcome.
create article, “service iptables save” failed in my case on (Ubuntu 20.04.1 LTS) to make the iptables persistant
i found this: iptables-save >/etc/iptables/rules.v4 ip6tables-save >/etc/iptables/rules.v6
I’ve really enjoyed/benifited from running an Algo vpn on a droplet for some months. It works great.
Algo uses IPSec, not Open VPN. -> https://github.com/trailofbits/algo
cp /usr/share/doc/openvpn-2.3.12/sample/sample-config-files/server.conf /etc/openvpn
Where is east-rsa 2.0?
Where is dh1024.pem
With the latest easy-rsa 2.0, it generated 2048 key. So you need change the name to dh2048.pem
when I try to connect on my iPad I get
EVENT: CORE_ERROR PolarSSL: error parsing ca certificate: X509 - The CRT/CRL/CSR format is invalig, e.g. different type expected [ERR]
what should I do?
This comment has been deleted
Hi. 99% of the time DigitalOcean tutorials work flawlessly for me but I’m having quite a bit of trouble with this one here–any help would be appreciated. Is it possible for the author to update this tutorial? Based on the amount of customization that people’ve had to go through and the number of requests for an update in the comments, I feel one is warranted…
There are a couple of things that I could use some clarification on: 1 - If I’m modifying the vars file’s “export KEYS_<xxx>” section, there is no KEY_CN…should I just add that? and if I do so, then when building these keys, do I just press enter for each and every single question I’m asked up until I say yes to commit (in other words, put a ‘blank’ answer) …? Does this apply to ALL the keys we’re generating? Or do I need different CNs for server and client side…?
2 - I ended up downloading easy-rsa w/ yum installer … tutorial should update this to reflect that because it’s missing
3 - for this portion: <ca> Contents of ca.crt </ca> <cert> Contents of client.crt </cert> <key> Contents of client.key </key> I’m not clear — I paste the contents but do I keep those <ca></ca> and <cert></cert> parameters? Or just literally paste the contents of those keys back to back?
– Also, what do you mean the “client” in the file should match the name of the client from the build-key?? Is that something I’m naming or defining during the creation of they keys? So unclear…
4 - Lastly, there is no such thing as a Configurations folder in side of ~/Library/Application\ Support/Tunnelbick/Configurations. There is only: petadeer $ pwd /Library/Application Support/Tunnelbick petadeer $ ls Logs Shared Tblks Users So, should I make the folder or just leave it in the Tunnelbick folder?
5 - In the comments, someone made the following remark: Change: export KEY_CONFIG=
$EASY_RSA/whichopensslcnf $EASY_RSATo: export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf And save… ^ what does this do, and why do we need to do it?
hi, while i enter source ./vars i got an error Please source the vars script first (i.e. “source ./vars”) Make sure you have edited it to reflect your configuration.
i am root of this server.
I notice most ‘VPN setup guide’ are assuming that you want to - “push traffic on VPN client to be routed through OpenVPN.”
Sometimes, this may not be the case. You just want to be able to connect to some services on your VPN server through private network IP. Having all traffic routed to the VPN server can cause extra bandwidth used on your VPN server. Any malicious activities caused by your VPN client are counted to your VPN server too. Thus burden your VPN server unnecessary.
Therefore, I suggest the following command to be optional:
push “redirect-gateway def1 bypass-dhcp” push “dhcp-option DNS 18.104.22.168” push “dhcp-option DNS 22.214.171.124” Steps in “Routing Configuration and Starting OpenVPN Server”